Update: Cloudflare’s response indicates that this is a customer-specific rule and not a global policy. They did not mention what kind of rule is triggering this behavior though.

It appears that Firefox is now flagged as “suspicious” by Cloudflare’s anti-bot protection. When you browse to certain websites hosted on Cloudflare’s CDN and using this service, Firefox is served back a Javascript challenge. This is how it looks like:

Checking your browser

You can test it yourself: Browse to https://www.g2.com, which is a software reviews website. If you use Chrome or Edge, you will get the site’s content. However, use Firefox and you’ll most likely be served the challenge instead (make sure to clear cookies before). This basically means you must have JS enabled to access the site and you will incur a 2-3 seconds delay before the content is served.

This is not a good prospect for the open-source browser. If this behavior gets adapted on more sites, we can expect even more users leaving Firefox, as every web access will take a few more seconds.

From a technical standpoint it doesn’t make sense either. I don’t see any reason to “suspect” Firefox is a bot. If anything, Chrome is probably being used for web scraping at a much higher rate through projects like Puppeteer.

To be clear, I don’t believe this behavior is intentional on Cloudflare’s side. The way they identify which browser you are using is through a combination of TLS fingerprinting and HTTP fingerprinting (on which I might write an extended explanation later on). What I believe to be happening is that Cloudflare whitelists the signatures of browsers with large-enough market share, and Firefox happens to fall below that threshold. Even if that is the case, I do expect Cloudflare to actively whitelist Firefox. Open-source browsers are an important part of the web and should not be treated differently than their closed-source counterparts.